Evernote User Accounts Compromised

Evernote reported today that they detected and blocked suspicious activity on their network. As a precaution, they say, they’ve implemented a password reset for all users. When I first read about this, it sounded as if they had already reset your password and you would need to have a new one emailed to you. Instead, the email they sent out instructed users to log in and change their passwords at the next login.

What Happened?

Anything I say here would be pure speculation. However, attacks are often as simple as a SQL injection. This usually happens when a website takes user input (like a contact form or blog comment form) and does not properly validate or escape it before building a database query with it. It’s more common than you think. For anyone interested in a more technical view of security vulnerabilities, check out OWASP’s Top 10 Project. In reality, any number of things could have let a hacker in, and it’s too early to say for sure.
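To make the SQL injection point concrete, here is an added example (mine, not Evernote’s code and not from the original post) in Python with the standard-library sqlite3 module. The users table, its rows and the test input are constructed for illustration. The unsafe lookup pastes user input straight into the SQL text; the safe lookup passes it as a query parameter so it can only ever be data.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny users table standing in for a site's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "hash-a"),
        ("bob", "bob@example.com", "hash-b"),
    ])
    return conn


def find_user_unsafe(conn, username):
    # VULNERABLE: the untrusted value becomes part of the SQL text itself, so a
    # quote character in the input ends the string literal and whatever follows
    # is parsed as SQL.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # FIXED: a parameterized query. The driver sends the value separately from
    # the SQL text, so the input is always treated as data, never as code.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def honest_input_breaks_unsafe(conn):
    # Even a legitimate name containing a quote turns into a syntax error in the
    # unsafe version, which is the first visible symptom of this bug.
    try:
        find_user_unsafe(conn, "O'Brien")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    # Compare both lookups on a normal username and on the classic test input
    # (a quote that closes the string, then an always-true condition).
    conn = make_db()
    normal = "alice"
    probe = "' OR '1'='1"
    return {
        "unsafe_normal": find_user_unsafe(conn, normal),
        "unsafe_probe": find_user_unsafe(conn, probe),   # leaks every row
        "safe_normal": find_user_safe(conn, normal),
        "safe_probe": find_user_safe(conn, probe),       # matches nothing
        "honest_input_breaks_unsafe": honest_input_breaks_unsafe(conn),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The difference to look for in a code review is simply whether user-controlled values are formatted into the query string or handed to the driver as parameters; everything else about the two functions is identical.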

Should I Worry?

This is a two-part answer. First, your Evernote account is fine. According to Evernote, no stored data was lost or accessed (other than your credentials, of course). Just reset your password and you should be OK. Your other accounts, however, may not be. Take a look at the most important part of Evernote’s statement:

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

This tells me that my username, email and hashed password are out there in the hands of a hacker, and because Evernote is a large service, it wouldn’t surprise me if a torrent file of this information shows up for download by anyone with an internet connection. “Hashed and salted” means that, as they said, it’s one-way: a hacker can hash a candidate password using the same method and salt and see if the result matches the blob of characters next to your username, but they can’t directly reverse the hash to recover your password. This is important, but if your password was cracked, the hackers would then have a username/email/password combination to try on many other services. If I were that hacker, I would start with other cloud services, namely Apple’s. If you use the same username and password anywhere else, you should change your password there, too.
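Here is an added example of what “hashed and salted” password storage looks like in practice. It is my illustration in Python with the standard library, not Evernote’s implementation (their scheme is not described beyond the quote above); the choice of PBKDF2-HMAC-SHA256, the iteration count and the storage format are assumptions. It shows why a per-account salt matters: two accounts with the same password get different stored values, so one guess has to be recomputed per account, and a slow hash makes each guess expensive.

```python
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: a high work factor so each guess costs real CPU time


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    # A fresh random salt per account. The salt is not secret; it is stored
    # alongside the hash so the check below can redo the same computation.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Hypothetical self-describing record format: algorithm$iterations$salt$digest
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # Recompute with the stored salt and iteration count; this is the "same
    # method" step the post mentions, and it is the only way to check a guess.
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salt_separates_accounts(password: str, iterations: int = ITERATIONS) -> dict:
    # Two accounts choose the same password; with distinct salts the stored
    # records differ, yet each still verifies against its own record.
    rec_a = hash_password(password, iterations=iterations)
    rec_b = hash_password(password, iterations=iterations)
    return {
        "records_differ": rec_a != rec_b,
        "both_verify": verify_password(password, rec_a) and verify_password(password, rec_b),
    }


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("password", record))
    print(salt_separates_accounts("hunter2"))
```

Nothing in a stored record lets you go back to the password; the only option is to guess and recompute, which is why a unique salt and a slow hash are the two properties to insist on from any service holding your credentials.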

How To Protect Yourself

While websites and online services have legal and ethical obligations when it comes to storing your information, you should have some rules of your own.

Use a secure password that you can remember. The word “password” is sadly not only the most insecure password but also the most popular. If it was easy for you to come up with and type in, it’s likely easy to crack. Don’t use your birthday, any word that can be found in a dictionary, or anything someone could guess with a little information about you.

Don’t write it down if you can help it. If I were in your house and wanted to get into your computer, the first place I would look is under your computer. Shockingly often, people just write their password on a sticky note and stick it to their monitor. A password is only as good as its user. Protect it like you’re protecting what it gives access to. If you wouldn’t leave your life’s savings on your desk, don’t leave the password to it there, either.

Split up your passwords. This is a hard pill to swallow, but you absolutely should use a different password for each site. The cost is convenience, but the reward is not having every account you own hacked just because one site let your password get out. If this is too hard for you, at least use individual passwords for any site with finances or sensitive information, and another “global” password for the 150 other sites that are less critical.

Don’t just stick to one rule, either. I know from experience that thinking you’re doing so well with one rule (like having an incredibly hard-to-crack password) that it excuses you from the other rules is a good way to get hacked.

The Sky Is (not) Falling!

It’s Friday, but it’s not just any Friday. Today is the day the world ended… again.

Once again, we seem to have survived what so many thought would be the end of the world, this one based on the end of the Mayan calendar. While we didn’t see anyone going completely off the deep end (not that I’ve heard, anyway), there was still an obscene amount of stupid reactions to this possible once-in-a-lifetime event.

This time around, we saw schools closing early and scores of news outlets asking people what they would do if the world were ending tomorrow. With answers like “I’d rob a bank”, it’s hard not to be cynical about the mindset of people in today’s society. The movie http://www.imdb.com/title/tt1307068/ does a great job of capturing this cynicism, and the video below says what a lot of us are thinking.

The video actually sums things up very nicely with a mention of NASA’s blog post, which points out that we have achieved and discovered so much with modern science, and that the Mayans couldn’t predict their own downfall. Either way, we’re here for the foreseeable future, so we can give the Mayans and their calendar a rest.

Power To The Online People

“After an earthquake hit the east coast, people in NYC read tweets about the quake 30 seconds before they felt it.” That’s some pretty powerful stuff. It’s the power the internet community wields in communication, and it has forever changed how we get information. Even President Obama took to Reddit today to field questions from the average Joe. Check out this infographic about the power of online communication and some of the amazing things it has brought us in the last few years.

Infographic: Power To The Online People (created by Open-site.org)